Attacks & Vulnerabilities
|
The Dangers of Reusing Protobuf Definitions: Critical Code Execution in protobuf.js (GHSA-xq3m-2v4x-88gg) (8 minute read)
Endor Labs discovered a critical remote code execution vulnerability (GHSA-xq3m-2v4x-88gg, CVSS 9.4) in protobuf.js, a widely deployed serialization library often transitively included via @grpc/proto-loader, Firebase, and Google Cloud SDKs. The flaw exists because the library concatenates unvalidated schema type names directly into JavaScript source code and evaluates them via the Function constructor, allowing attackers who supply a malicious configuration file to achieve unauthenticated code execution when the target application processes its first message. Defenders must immediately upgrade to protobufjs 8.0.1 or 7.5.5, audit transitive dependencies, and treat dynamic schema-loading endpoints like Root.fromJSON as untrusted execution surfaces.
|
Vuln in Google's Antigravity AI agent manager could escape sandbox, give attackers remote code execution (2 minute read)
Pillar Security discovered a now-patched remote code execution vulnerability in Google's Antigravity AI developer tool that allows attackers to entirely bypass the application's restrictive Secure Mode sandbox. The exploit uses direct or indirect prompt injections to abuse a native file-searching tool called "find_by_name", which the agent executes directly before Secure Mode can evaluate the underlying shell command. Organizations deploying agentic features must move beyond sanitization-based controls and rigorously audit every native tool parameter that reaches a shell command to prevent external content from hijacking internal systems.
|
Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 (2 minute read)
Three providers reported separate incidents: North Texas Behavioral Health Authority saw a 2025 network intrusion with possible data exfiltration, including SSNs, impacting 285,000 people. Southern Illinois Dermatology faced a November 2025 ransomware incident tied to Insomnia, resulting in the leak of patient data affecting 160,000. In 2025, Saint Anthony Hospital had two compromised email accounts that exposed the personal and health information of 146,000 patients.
|
|
Dissecting Sapphire Sleet's macOS intrusion from lure to compromise (25 minute read)
Microsoft Threat Intelligence detailed a North Korean Sapphire Sleet campaign that weaponizes a fake Zoom SDK Update.scpt, abusing the trusted macOS Script Editor and a cascading curl-to-osascript chain (user agents mac-cur1 through mac-cur5) to deploy com.apple.cli, services, icloudz, and com.google.chromes.updaters backdoors while harvesting credentials via a spoofed systemupdate.app dialog. The actor directly manipulates the user-level TCC.db through Finder's Full Disk Access to silently grant osascript AppleEvents permission, then exfiltrates Telegram sessions, Chromium wallet extension data (Phantom, TronLink, Coinbase, OKX, Solflare, Rabby, Backpack, and Sui), Ledger and Exodus wallets, keychains, SSH keys, and Apple Notes to 104.145.210[.]107:8443. Defenders should block .scpt execution from the internet, monitor for curl piped into osascript/sh/bash with non-standard user-agent strings, alert on writes to ~/Library/Application Support/com.apple.TCC/TCC.db, and audit /Library/LaunchDaemons for com.google.webkit.service.plist.
|
P4WNED: How Insecure Defaults in Perforce Expose Source Code Across the Internet (20 minute read)
Public scans of 6,121 Perforce servers found that 72% allowed unauthenticated read access, 21% exposed read-write paths, and 4% had passwordless super‑user accounts with potential for trigger-based RCE. The research walks through five default misconfigurations: auto account creation, unauthenticated user listing, passwordless accounts, self‑service initial passwords, and a now-patched hidden “remote” user that enabled remote‑depot sync without auth. It then shows real exposures across game studios, medical and financial vendors, government, and supply‑chain providers, and provides concrete p4 configure baselines (security=4, dm.user.noautocreate=2, dm.user.setinitialpasswd=0, and others) plus open-source tools (P4WNED, P4GHOST, Nuclei templates, and Metasploit modules) to let you audit and lock down any P4 footprint.
|
LLM-Tier Personal Computer Security (6 minute read)
With the advancement of AI agents and LLMs, cybersecurity threats such as supply-chain attacks and convincing phishing are becoming commonplace and relevant for individuals. To combat this, the author is using a password manager, 2FA via mobile TOTP, a hardware cryptocurrency wallet, and redundant backups. They are also exploring the use of hardware security keys for critical services, isolating non-public network services, firewalling or sandboxing software, and hardening financial accounts.
|
|
Trevex (GitHub Repo)
Trevex is a black-box detection framework developed by CISPA researchers for discovering data-flow transient execution vulnerabilities on x86 architectures. The fuzzer successfully reproduced known flaws like Downfall and Meltdown, and discovered novel vulnerabilities including Floating-Point Divider State Sampling (FP-DSS, CVE-2025-54505) on AMD Zen 1/Zen+ and a new variant of LVI-NULL. It includes tools for local fuzzing, multi-machine orchestration via SSH, and result classification, though defenders should note it currently assumes an Ubuntu environment with the apt package manager.
|
CHIPSEC (GitHub Repo)
CHIPSEC is a framework for analyzing the security of PC platforms, including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities.
|
SatGuard (GitHub Repo)
SatGuard is an open-source toolkit for analyzing satellite telemetry and detecting GPS spoofing/jamming attacks.
|
|
Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft (1 minute read)
Tyler Buchanan, a 24-year-old Scottish national linked to the Scattered Spider cybercrime group (UNC3944), pleaded guilty in a US court to wire fraud conspiracy and aggravated identity theft. Buchanan and his co-conspirators deployed SMS phishing kits to harvest corporate credentials into a Telegram channel, then weaponized that stolen data to execute SIM swap attacks against individuals, bypassing two-factor authentication to drain cryptocurrency wallets. The scheme netted at least $8 million in stolen virtual currency, and Buchanan faces up to 22 years in federal prison at his August sentencing, following the recent 10-year sentence of fellow Scattered Spider member Noah Michael Urban.
|
Contrary to popular superstition, AES 128 is just fine in a post-quantum world (6 minute read)
AES-128 remains safe against quantum brute force, since Grover's algorithm cannot be parallelized like classical search, and realistic constraints push attack cost near 2^104 operations. Ultimately, the NSA's AES-256 mandate targets uniform high security, and the post stresses that symmetric crypto can largely stay put while teams prioritize post-quantum replacements for vulnerable asymmetric schemes.